<!DOCTYPE html SYSTEM "about:legacy-compat">
<html lang="en"><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" type="text/css"><title>Apache Tomcat 8 Configuration Reference (8.0.39) - The Cookie Processor Component</title><script type="application/javascript" data-comments-identifier="tomcat-8.0-doc/config/cookie-processor">
    "use strict"; // Enable strict mode

    (function() {
      var thisScript = document.currentScript;
      if (!thisScript) { // Workaround for IE <= 11
        var scripts = document.getElementsByTagName("script");
        thisScript = scripts[scripts.length - 1];
      }
      document.addEventListener("DOMContentLoaded", (function() {
        var commentsDiv = document.getElementById("comments_thread");
        var commentsShortname = "tomcat";
        var commentsIdentifier = "http://tomcat.apache.org/" +
          thisScript.getAttribute("data-comments-identifier") + ".html";

        (function(w, d) {
          if (w.location.hostname.toLowerCase() == "tomcat.apache.org") {
            var s = d.createElement("script");
            s.type = "application/javascript";
            s.async = true;
            s.src = "https://comments.apache.org/show_comments.lua?site=" +
              encodeURIComponent(commentsShortname) +
              "&page=" + encodeURIComponent(commentsIdentifier);
            d.head.appendChild(s);
          } else {
            commentsDiv.appendChild(d.createTextNode("Comments are disabled for this page at the moment."));
          }
        })(window, document);
      }), false);
    })();
  </script></head><body><div id="wrapper"><header><div id="header"><div><div><div class="logo noPrint"><a href="http://tomcat.apache.org/"><img alt="Tomcat Home" src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div class="asfLogo noPrint"><a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a></div><h1>Apache Tomcat 8 Configuration Reference</h1><div class="versionInfo">
          Version 8.0.39,
          <time datetime="2016-11-09">Nov 9 2016</time></div><div style="height: 1px;"></div><div style="clear: left;"></div></div></div></div></header><div id="middle"><div><div id="mainLeft" class="noprint"><div><nav><div><h2>Links</h2><ul><li><a href="../index.html">Docs Home</a></li><li><a href="index.html">Config Ref. Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a href="#comments_section">User Comments</a></li></ul></div><div><h2>Top Level Elements</h2><ul><li><a href="server.html">Server</a></li><li><a href="service.html">Service</a></li></ul></div><div><h2>Executors</h2><ul><li><a href="executor.html">Executor</a></li></ul></div><div><h2>Connectors</h2><ul><li><a href="http.html">HTTP</a></li><li><a href="ajp.html">AJP</a></li></ul></div><div><h2>Containers</h2><ul><li><a href="context.html">Context</a></li><li><a href="engine.html">Engine</a></li><li><a href="host.html">Host</a></li><li><a href="cluster.html">Cluster</a></li></ul></div><div><h2>Nested Components</h2><ul><li><a href="cookie-processor.html">CookieProcessor</a></li><li><a href="credentialhandler.html">CredentialHandler</a></li><li><a href="globalresources.html">Global Resources</a></li><li><a href="jar-scanner.html">JarScanner</a></li><li><a href="jar-scan-filter.html">JarScanFilter</a></li><li><a href="listeners.html">Listeners</a></li><li><a href="loader.html">Loader</a></li><li><a href="manager.html">Manager</a></li><li><a href="realm.html">Realm</a></li><li><a href="resources.html">Resources</a></li><li><a href="sessionidgenerator.html">SessionIdGenerator</a></li><li><a href="valve.html">Valve</a></li></ul></div><div><h2>Cluster Elements</h2><ul><li><a href="cluster.html">Cluster</a></li><li><a href="cluster-manager.html">Manager</a></li><li><a href="cluster-channel.html">Channel</a></li><li><a href="cluster-membership.html">Channel/Membership</a></li><li><a href="cluster-sender.html">Channel/Sender</a></li><li><a href="cluster-receiver.html">Channel/Receiver</a></li><li><a href="cluster-interceptor.html">Channel/Interceptor</a></li><li><a href="cluster-valve.html">Valve</a></li><li><a href="cluster-deployer.html">Deployer</a></li><li><a href="cluster-listener.html">ClusterListener</a></li></ul></div><div><h2>web.xml</h2><ul><li><a href="filter.html">Filter</a></li></ul></div><div><h2>Other</h2><ul><li><a href="systemprops.html">System properties</a></li></ul></div></nav></div></div><div id="mainRight"><div id="content"><h2>The Cookie Processor Component</h2><h3 id="Table_of_Contents">Table of Contents</h3><div class="text">
<ul><li><a href="#Introduction">Introduction</a></li><li><a href="#Attributes">Attributes</a><ol><li><a href="#Common_Attributes">Common Attributes</a></li><li><a href="#Standard_Implementation">Standard Implementation</a></li><li><a href="#RFC_6265_Cookie_Processor_-_org.apache.tomcat.util.http.Rfc6265CookieProcessor">RFC 6265 Cookie Processor - org.apache.tomcat.util.http.Rfc6265CookieProcessor</a></li></ol></li><li><a href="#Nested_Components">Nested Components</a></li><li><a href="#Special_Features">Special Features</a></li></ul>
</div><h3 id="Introduction">Introduction</h3><div class="text">

  <p>The <strong>CookieProcessor</strong> element represents the component that
  parses received cookie headers into <code>javax.servlet.http.Cookie</code>
  objects accessible through <code>HttpServletRequest.getCookies()</code> and
  converts <code>javax.servlet.http.Cookie</code> objects added to the response
  through <code>HttpServletResponse.addCookie()</code> to the HTTP headers
  returned to the client.</p>

  <p>A CookieProcessor element MAY be nested inside a
  <a href="context.html">Context</a> component. If it is not included, a default
  implementation will be created automatically.</p>

  <p><strong>Note:</strong> <strong>CookieProcessor</strong> is a new
  configuration element, introduced in Tomcat 8.0.15.</p>
  <ul>
    <li>The <strong>CookieProcessor</strong> element allows different cookie
    parsing configuration in each web application, or globally in the default
    <code>conf/context.xml</code> file. The legacy cookie parsing algorithm
    supported only limited global configuration via several
    <a href="systemprops.html#Specifications">system properties</a>. Those
    system properties are still supported, but are going to be deprecated in
    favor of this new configuration element.
    </li>
    <li>The new RFC6265-compliant implementation is a drop-in replacement for
    the original legacy one. The legacy implementation remains the default. You
    can select the implementation by setting <code>className</code> attribute
    on <strong>CookieProcessor</strong> element.</li>
  </ul>

</div><h3 id="Attributes">Attributes</h3><div class="text">

  <div class="subsection"><h4 id="Common_Attributes">Common Attributes</h4><div class="text">

    <p>All implementations of <strong>CookieProcessor</strong> support the
    following attributes:</p>

    <table class="defaultTable"><tr><th style="width: 15%;">
          Attribute
        </th><th style="width: 85%;">
          Description
        </th></tr><tr><td><code class="attributeName">className</code></td><td>
        <p>Java class name of the implementation to use. This class must
        implement the <code>org.apache.tomcat.util.http.CookieProcessor</code>
        interface. If not specified, the standard value (defined below) will be
        used.</p>
      </td></tr></table>

  </div></div>


  <div class="subsection"><h4 id="Standard_Implementation">Standard Implementation</h4><div class="text">

    <p>The standard implementation of <strong>CookieProcessor</strong> is
    <code>org.apache.tomcat.util.http.LegacyCookieProcessor</code>. Note
    that it is anticipated that this will change to
    <code>org.apache.tomcat.util.http.Rfc6265CookieProcessor</code> in a future
    Tomcat 8 release.</p>

    <p>This is the legacy  cookie parser based on RFC6265, RFC2109 and RFC2616.
    It implements a strict interpretation of the cookie specifications. Due to
    various interoperability issues with browsers not all strict behaviours
    are enabled by default and additional options are available to further
    relax the behaviour of this cookie processor if required.</p>

    <table class="defaultTable"><tr><th style="width: 15%;">
          Attribute
        </th><th style="width: 85%;">
          Description
        </th></tr><tr><td><code class="attributeName">allowEqualsInValue</code></td><td>
        <p>If this is <code>true</code> Tomcat will allow '<code>=</code>'
        characters when parsing unquoted cookie values. If <code>false</code>,
        cookie values containing '<code>=</code>' will be terminated when the
        '<code>=</code>' is encountered and the remainder of the cookie value
        will be dropped.</p>
        <p>If not set the specification compliant default value of
        <code>false</code> will be used. This default may be changed by setting
        the
        <code>org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE</code>
        <a href="systemprops.html">system property</a>.</p>
      </td></tr><tr><td><code class="attributeName">allowHttpSepsInV0</code></td><td>
        <p>If this is <code>true</code> Tomcat will allow HTTP separators in
        cookie names and values.</p>
        <p>If not specified, the default specification compliant value of
        <code>false</code> will be used. This default may be changed by setting
        the
        <code>org.apache.tomcat.util.http.ServerCookie.ALLOW_HTTP_SEPARATORS_IN_V0</code>
        <a href="systemprops.html">system property</a>.</p>
      </td></tr><tr><td><code class="attributeName">allowNameOnly</code></td><td>
        <p>If this is <code>true</code> Tomcat will allow name only cookies
        (with or without trailing '<code>=</code>') when parsing cookie headers.
        If <code>false</code>, name only cookies will be dropped.</p>
        <p>If not set the specification compliant default value of
        <code>false</code> will be used. This default may be changed by setting
        the
        <code>org.apache.tomcat.util.http.ServerCookie.ALLOW_NAME_ONLY</code>
        <a href="systemprops.html">system property</a>.</p>
      </td></tr><tr><td><code class="attributeName">alwaysAddExpires</code></td><td>
        <p>If this is <code>true</code> Tomcat will always add an expires
        parameter to a SetCookie header even for cookies with version greater
        than zero. This is to work around a known IE6 and IE7 bug that causes I
        to ignore the Max-Age parameter in a SetCookie header.</p>
        <p>If <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code> is set
        to <code>true</code>, the default of this setting will be
        <code>false</code>, else the default value will be <code>true</code>.
        </p>
      </td></tr><tr><td><code class="attributeName">forwardSlashIsSeparator</code></td><td>
        <p>If this is <code>true</code> Tomcat will treat the forward slash
        character ('<code>/</code>') as an HTTP separator when processing cookie
        headers. If <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code>
        is set to <code>true</code>, the default of this setting will be
        <code>true</code>, else the default value will be <code>false</code>.
        This default may be overridden by setting the
        <code>org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR</code>
        system property.</p>
      </td></tr><tr><td><code class="attributeName">preserveCookieHeader</code></td><td>
        <p>This attribute is no longer used. From Tomcat 8.0.31, Tomcat will
        always preserve the cookie header returned by
        <code>HttpServletRequest.getHeader()</code>.</p>
      </td></tr></table>

  </div></div>

  <div class="subsection"><h4 id="RFC_6265_Cookie_Processor_-_org.apache.tomcat.util.http.Rfc6265CookieProcessor">RFC 6265 Cookie Processor - org.apache.tomcat.util.http.Rfc6265CookieProcessor</h4><div class="text">

    <p>This cookie processor is based on RFC6265 with the following changes to
    support better interoperability:</p>

    <ul>
      <li>Values 0x80 to 0xFF are permitted in cookie-octet to support the use
      of UTF-8 in cookie values as used by HTML 5.</li>
      <li>For cookies without a value, the '=' is not required after the name as
      some browsers do not sent it.</li>
    </ul>

    <p>The RFC 6265 cookie processor is generally more lenient than the legacy
    cookie parser. In particular:</p>

    <ul>
      <li>The '<code>=</code>' and '<code>/</code>' characters are always
      permitted in a cookie value.</li>
      <li>Name only cookies are always permitted.</li>
      <li>The cookie header is always preserved.</li>
    </ul>

    <p>No additional attributes are supported by the <strong>RFC 6265 Cookie
    Processor</strong>.</p>

  </div></div>

</div><h3 id="Nested_Components">Nested Components</h3><div class="text">

  <p>No element may be nested inside a <strong>CookieProcessor</strong>.</p>

</div><h3 id="Special_Features">Special Features</h3><div class="text">

  <p>No special features are associated with a <strong>CookieProcessor</strong>
  element.</p>

</div><div class="noprint"><h3 id="comments_section">
                  Comments
                </h3><div class="text"><p class="notice"><strong>Notice: </strong>This comments section collects your suggestions
                    on improving documentation for Apache Tomcat.<br><br>
                    If you have trouble and need help, read
                    <a href="http://tomcat.apache.org/findhelp.html">Find Help</a> page
                    and ask your question on the tomcat-users
                    <a href="http://tomcat.apache.org/lists.html">mailing list</a>.
                    Do not ask such questions here. This is not a Q&amp;A section.<br><br>
                    The Apache Comments System is explained <a href="../comments.html">here</a>.
                    Comments may be removed by our moderators if they are either
                    implemented or considered invalid/off-topic.
                  </p><div id="comments_thread"></div></div></div></div></div></div></div><footer><div id="footer">
    Copyright &copy; 1999-2016, The Apache Software Foundation
  </div></footer></div></body></html>